eClippings · This list distributes the E-Clippings n
A Very Real Security Alert concerning Internet Explorer
Message #258 of 261

This is no kidding folks.

V/R
Mark Oehlert

Opera is available at http://www.opera.com/
Firefox is available at http://www.mozilla.org/products/firefox/
US-CERT is at http://www.us-cert.gov/
Instructions on How to Protect Your Computer Are at
http://www.washingtonpost.com/wp-dyn/articles/A5572-2004Jun25.html

**Also feel free to email me if you would like to try the other
browsers and have any questions.**

PC Users Warned of Infected Web Sites


By Brian Krebs
washingtonpost.com Staff Writer
Friday, June 25, 2004; 4:37 PM


Computer security experts and the federal government are warning
Internet users to take extra precautions when browsing the Web after
an Internet attack seeded Web sites with programs that hackers can use
to steal personal information.

The attack is more dangerous than most, according to the government's
US-CERT cybersecurity center, because infection is possible just by
visiting affected Web sites, according to US-CERT, a division of the
U.S. Department of Homeland Security.

The attackers, whose identities are unknown, targeted a flaw in Web
sites powered by Microsoft's Internet Information Services Web server
(IIS). The sites hit by the attack were programmed to redirect the
Explorer browser to another Web site that contains code that hackers
use to record what people type on their keyboards -- including data
such as passwords, credit card and Social Security numbers. The code
then e-mails that information back to the attackers.

Computers that run Microsoft's Internet Explorer browsers are
vulnerable to infection, according to US-CERT. The CERT warning said
Internet Explorer users can protect themselves by turning off the
"javascript" function in their browsers. Javascript is a computer
language often used in building Web sites. The attack takes advantage
of two recently discovered security flaws in Internet Explorer.
Microsoft released a patch in April to fix one of the security holes;
the company is still working on a patch for the other flaw, which
security researchers publicly detailed less than two weeks ago.

CERT recommends that Internet Explorer users consider different
browsers such as Mozilla Firefox, Netscape Communicator or Opera. For
people who continue to use Internet Explorer, CERT and Microsoft
recommend setting the browser's security setting to "high."

Among the several Web sites hit were kbb.com, the Internet address of
the Kelley Blue Book automobile pricing guide, and MinervaHealth, a
health care financing company based in Jackson, Wyo.

Robyn Eckard, a spokeswoman for the Irvine, Calif.-based Kelley Blue
Book, said the company learned about the problem late Wednesday after
Web site visitors said their antivirus software tipped them off to the
code. Eckard said Kelley Blue Book removed the malicious code from its
site by late Thursday afternoon.

Jennifer Scharff, vice president of marketing for the company
MinervaHealth, said some of the company's clients reported the problem
on Thursday. The company has since fixed its site, she said. Scharff
said no more than 50 visitors browsed the Web site during the time it
was serving up the hostile code.

In addition, at least one auction page on the eBay online auction site
contained a photograph that links to an infected Web site, said
Johannes Ullrich, chief technology officer for the Bethesda, Md.-based
SANS Institute's Internet Storm Center.

Security experts said that the attack reveals the evolution of
"phishing" scams, a form of fraud designed to trick people into giving
up their personal data to criminals who have designed Web sites to
look like those of respectable companies.

Phishing scams are one of the most widespread types of online fraud
today, prompting the Federal Trade Commission, the Better Business
Bureau and many other companies and consumers' groups to find ways to
teach people to avoid getting scammed. "Phishers" normally persuade
people to visit fake Web sites by enticing them through e-mail
messages.

Thursday's Web site attack is a new direction for online criminals,
said Dave Endler, director of digital vaccine for TippingPoint, an
Internet security company based in Austin, Texas. "Instead of relying
on the typical phishing e-mail scams to social engineer users into
visiting malicious spoofed Web sites, these attackers actually went
straight to the source and compromised known trusted Web sites in
order to infect their visitors," he said.

Joe Stewart, senior security researcher for Chicago-based Internet
security firm LURHQ, said that the programs installed on victims'
computers were designed to wait until the user visited a Web site like
PayPal or eBay. If the program had worked correctly, people would have
seen pop-up screens on their monitors asking them to enter their
credit card numbers or other financial data.

"Phishing has moved from an e-mail attack to one that's really being
brought to the desktop," Stewart said.

Ken Dunham, malicious code manager for Reston, Va.-based security
company iDefense, said the attack bears the trademark signatures of
the Hangup Group, a Russian hacker organization thought to be
responsible for unleashing the recent "Korgo" worms. Korgo worms allow
hackers to read what people are typing on their computers and scour
infected PCs for other financial information.

According to SANS, most large Internet service providers stopped
forwarding Internet traffic to the Russian Web site that hosts the
"keylogging" software.

FBI spokesman Joe Parris declined to say whether the agency is
investigating this particular attack. But Parris said hackers commonly
use similar Trojan horse techniques. "We work closely with Microsoft
in investigating matters of this type and always follow up on any
information provided by industry," he said.

Dunham and other security experts said they expect this kind of attack
to become more widespread in coming weeks and months.

"These guys have the tools, techniques and motivation to launch highly
sophisticated attacks that are very difficult for consumers to protect
themselves against," he said. "Whoever is responsible has just seen
how well this attack works, and other (hacker groups) are almost
surely going to take notice."

Stephen Toulouse, a security program manager at Microsoft, said the
company does not believe the attack is widespread. "Nonetheless, we
view this as a very real threat, with serious significance in terms of
the potential impact on our customers," he said.

Toulouse said the company is gathering information on the attack and
will hand it over to the FBI.

Security experts said it is not yet clear which Microsoft
vulnerability the attackers used to commandeer the Web sites. Ullrich
said the culprit is a flaw in the way IIS processes secure login pages
for Web sites that require users to enter a username and password.
Microsoft released a patch for that flaw in April in a massive bundle
of security fixes.

Toulouse said that the proprietors for the majority of sites affected
by the attack failed to install the patches.

Here are instructions on how to protect your computer.





Sat Jun 26, 2004 12:06 am

moehlert2001